OpenFPC + Debian Squeeze

OpenFPC is designed to let a network traffic capture tool scale both horizontally and vertically. It is a distributed system tied together by communication paths and proxies so that it can be integrated into a SOC (Security Operations Center). To further explain the deployment method and architecture, it helps to cover a few common tasks and see how they are carried out while looking at a simple diagram.

Terminology

Client Device

A computer used by the analyst. A Perl environment is required; the tested operating systems are Linux and OSX. This client device runs the ofpc-client.pl program.

OFPC - Slave

This is the system that captures network traffic (through daemonlogger). In some environments only one Slave is used, but depending on the layout there can be several Slaves tied together through a Master.

OFPC - Master

A "proxy" system that forwards a traffic request to any Slave device, or to another intermediate OFPC Master device. It does not capture traffic itself; it only forwards PCAP requests and returns the results to the client.

Installing OpenFPC

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialsqueeze_en so that no package or configuration is missing.

Let's update the repositories and upgrade the system

aptitude update && aptitude dist-upgrade -y

Now let's install the dependencies

apt-get install apache2 tcpdump tshark libarchive-zip-perl \
  libfilesys-df-perl libapache2-mod-php5 mysql-server php5-mysql \
  libdatetime-perl libdbi-perl libdate-simple-perl \
  libterm-readkey-perl libtimedate-perl \
  build-essential libpcap-dev libcap-dev daemonlogger -y

During the MySQL installation you will be asked for a password; this is the password of the MySQL root user.

Now let's fetch the source packages that openfpc needs

All sources will be placed in the /usr/local/src directory

Let's change into that directory before continuing

cd /usr/local/src

Now let's fetch libdnet and install it

cd /usr/local/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/libdnet-1.12.tgz
tar -zxf libdnet-1.12.tgz && cd libdnet-1.12
./configure --prefix=/usr --enable-shared
make && make install

Now let's fetch cxtracker and install it

cd /usr/local/src/
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/cxtracker_0.9.5-1_amd64.deb
dpkg -i cxtracker_0.9.5-1_amd64.deb

Now let's fetch and install openfpc

cd /usr/local/src/
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/openfpc-0.6-314.tgz
tar xzvf openfpc-0.6-314.tgz
cd openfpc-0.6-314/

Let's install it

./openfpc-install.sh install

**************************************************************************
 *  OpenFPC installer - Leon Ward (leon@openfpc.org) v0.6
    A set if scripts to help manage and find data in a large network traffic
    archive. 

    - http://www.openfpc.org 

[*] Detected distribution as DEBIAN

[-] Checking for apache2 ...
    apache2 Okay
[-] Checking for daemonlogger ...
    daemonlogger Okay
[-] Checking for tcpdump ...
    tcpdump Okay
[-] Checking for tshark ...
    tshark Okay
[-] Checking for libarchive-zip-perl ...
    libarchive-zip-perl Okay
[-] Checking for libfilesys-df-perl ...
    libfilesys-df-perl Okay
[-] Checking for libapache2-mod-php5 ...
    libapache2-mod-php5 Okay
[-] Checking for mysql-server ...
    mysql-server Okay
[-] Checking for php5-mysql ...
    php5-mysql Okay
[-] Checking for libdatetime-perl ...
    libdatetime-perl Okay
[-] Checking for libdbi-perl ...
    libdbi-perl Okay
[-] Checking for libdate-simple-perl ...
    libdate-simple-perl Okay
[-] Checking for php5-mysql ...
    php5-mysql Okay
[-] Checking for libterm-readkey-perl ...
    libterm-readkey-perl Okay
[-] Checking for libdate-simple-perl ...
    libdate-simple-perl Okay
/usr/bin/cxtracker
* Found cxtracker in your $PATH (good)
 -  Installing modules to /usr/local/lib/site_perl
 -  Installing PERL module Parse.pm
 -  Installing PERL module Request.pm
 -  Installing PERL module CXDB.pm
 -  Installing PERL module Common.pm
 -  Installing PERL module Config.pm
 -  Installing OpenFPC prog: openfpc-client
 -  Installing OpenFPC prog: openfpc-queued
 -  Installing OpenFPC prog: openfpc-cx2db
 -  Installing OpenFPC prog: openfpc
 -  Installing OpenFPC prog: openfpc-dbmaint
 -  Installing OpenFPC conf: etc/openfpc-default.conf
 -  Installing OpenFPC conf: etc/openfpc-example-proxy.conf
 -  Installing OpenFPC conf: etc/routes.ofpc
 -  Installing css
 -  Installing images
 -  Installing includes
 -  Installing index.php
 -  Installing javascript
 -  Installing login.php
 -  Installing useradd.php
 -  Installing extract.cgi
 -  Installing /etc/init.d//openfpc-daemonlogger
 -  Installing /etc/init.d//openfpc-cx2db
 -  Installing /etc/init.d//openfpc-cxtracker
 -  Installing /etc/init.d//openfpc-queued
[*] Enabling and restarting Apache2
Enabling site openfpc.apache2.site.
Run '/etc/init.d/apache2 reload' to activate new configuration!
Reloading web server config: apache2.
[*] Updating init config with update-rc.d
update-rc.d: using dependency based boot sequencing
[*] Adding user openfpc
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing

**************************************************************************
[*] Installation Complete 

    OpenFPC should now be installed and ready for *configuration*.

    1) Go configure /etc/openfpc/openfpc-default.conf
       (Make sure you change the usernames and passwords!)
    2) Start OpenFPC
       $ sudo openfpc --action start
    3) If you want to use the OpenFPC GUI, you MUST create the GUI database
       - Install Mysql
       - Create the DB with the command...
         sudo ./openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
    4) Decide if you want to enable session searching
       See -> http://www.openfpc.org/documentation/enabling-session-capture

Now let's open openfpc-default.conf and replace a few values

vim /etc/openfpc/openfpc-default.conf
#Node name
NODENAME=IDS
[...]
#Node description
DESCRIPTION="IDS OpenFPC node"
[...]
#Capture interface
INTERFACE=eth0
[...]
#Enable session capture
ENABLE_SESSION=1
[...]
#Session database settings
SESSION_DB_NAME=openfpc
SESSION_DB_USER=openfpc
SESSION_DB_PASS=senha
SESSION_DB_HOST=127.0.0.1
[...]
#Client (GUI) database settings
GUI_DB_NAME=openfpcgui
GUI_DB_PASS=senha
GUI_DB_USER=openfpcgui
[...]
#User for web access
USER=admin=senha
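The installer warns to change the usernames and passwords, yet the walkthrough keeps the placeholder "senha" in three places. The script below is an added example (not part of OpenFPC) that applies the same key changes non-interactively and refuses empty or placeholder passwords; it assumes the KEY=VALUE layout shown above and the USER=<name>=<password> form of the web-user line, and runs on a constructed sample copy of the file.

```shell
#!/bin/sh
# Added example, not OpenFPC code: set the openfpc-default.conf keys changed on
# this page and refuse the placeholder password "senha" (and "password"/empty).
# Assumes KEY=VALUE lines and USER=<name>=<password> as shown in the page.
set -eu

# Return 0 if PASS is usable, 1 if it is empty or a known placeholder.
ofpc_password_ok() {
  case $1 in
    ''|senha|password) return 1 ;;
  esac
  return 0
}

# ofpc_configure CONF NODENAME INTERFACE SESSION_DB_PASS GUI_DB_PASS WEB_USER WEB_PASS
# Rewrites the keys through a temp file and restricts the file to its owner,
# since it holds MySQL and GUI credentials. Values must not contain '|' or '&'.
ofpc_configure() {
  conf=$1 node=$2 iface=$3 sess=$4 gui=$5 wuser=$6 wpass=$7
  for p in "$sess" "$gui" "$wpass"; do
    ofpc_password_ok "$p" || { echo "refusing empty/placeholder password" >&2; return 1; }
  done
  sed -e "s|^NODENAME=.*|NODENAME=$node|" \
      -e "s|^INTERFACE=.*|INTERFACE=$iface|" \
      -e "s|^ENABLE_SESSION=.*|ENABLE_SESSION=1|" \
      -e "s|^SESSION_DB_PASS=.*|SESSION_DB_PASS=$sess|" \
      -e "s|^GUI_DB_PASS=.*|GUI_DB_PASS=$gui|" \
      -e "s|^USER=.*|USER=$wuser=$wpass|" \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  chmod 600 "$conf"
}

# Return 0 only if no credential in CONF is empty or still a placeholder.
ofpc_check_passwords() {
  ! grep -Eq '^(SESSION_DB_PASS|GUI_DB_PASS|USER=[^=]*)=(senha|password)?$' "$1"
}

# Constructed sample of the relevant keys, using the page's placeholder values.
ofpc_sample_conf() {
  printf '%s\n' 'NODENAME=Default_Node' 'INTERFACE=eth1' 'ENABLE_SESSION=0' \
    'SESSION_DB_PASS=senha' 'GUI_DB_PASS=senha' 'USER=admin=senha' > "$1"
}

d=$(mktemp -d)
ofpc_sample_conf "$d/openfpc-default.conf"
ofpc_configure "$d/openfpc-default.conf" IDS eth0 'Sess-DB-pw1' 'Gui-DB-pw2' admin 'Web-pw3'
ofpc_check_passwords "$d/openfpc-default.conf" && cat "$d/openfpc-default.conf"
```

To use it on the real file, point ofpc_configure at /etc/openfpc/openfpc-default.conf and run ofpc_check_passwords before starting the daemons.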

Now let's create the session database

openfpc-dbmaint create session /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
    DB root Username: root
    DB root Password: #password
[*] Working on Instance /etc/openfpc/openfpc-default.conf .
    Would you like session capture ENABLED on IDS? (y/n)y
[-] Enabling session capture in IDS config
    Done.
[-] Found cxtracker.
CREATING DATABASE
---------------------------
Session DB Created.
Adding function INET_ATON6... to DB openfpc
[*] Restarting OpenFPC

###############################################################################
[*] OpenFPC instance openfpc-default.conf
 -  NODENAME:              IDS 
 -  DESCRIPTION:           "IDS OpenFPC node." 
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  FULL PACKET CAPTURE:   ENABLED
 -  PACKET STORE:          /var/tmp/openfpc/pcap
 -  SESSION DATA SEARCH:   ENABLED
 -  SESSION DATABASE NAME: openfpc
Stopping Daemonlogger...                                              Not running
Stopping OpenFPC Queue Daemon (IDS)...                                Not running
Stopping OpenFPC cxtracker (IDS)...                                   Not running
Stopping OpenFPC Connection Uploader (IDS)...                         Not running
###############################################################################
[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy 
 -  DESCRIPTION:           "An example OpenFPC Proxy config. www.openfpc.org" 
 -  STATUS :               DISABLED
 -  PORT:                  4243
###############################################################################
[*] OpenFPC instance openfpc-default.conf
 -  NODENAME:              IDS 
 -  DESCRIPTION:           "IDS OpenFPC node." 
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  FULL PACKET CAPTURE:   ENABLED
 -  PACKET STORE:          /var/tmp/openfpc/pcap
 -  SESSION DATA SEARCH:   ENABLED
 -  SESSION DATABASE NAME: openfpc
Starting Daemonlogger (IDS)...                                             Done
Starting OpenFPC Queue Daemon (IDS)...                                     Done
Starting OpenFPC cxtracker (IDS)...                                        Done
Starting OpenFPC Connection Uploader (IDS) ...                             Done
###############################################################################
[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy 
 -  DESCRIPTION:           "An example OpenFPC Proxy config. www.openfpc.org" 
 -  STATUS :               DISABLED
 -  PORT:                  4243

Now let's create the GUI database and a user for web access

openfpc-dbmaint create gui /etc/openfpc/openfpc-default.conf
[*] Enter mysql "root" credentials to connect to your local mysql server in order to create the databases
    DB root Username: root
    DB root Password: #password
[*] Enter an initial username for the first OpenFPC GUI user
    GUI Username: admin
    GUI Password: #password
    Email address: douglas@douglas.wiki.br
    Real Name: Douglas
USER=admin=senha
FOUND USER admin IN /etc/openfpc/openfpc-default.conf
CREATING GUI DATABASE
---------------------------
GUI DB Created.
New user admin added.
[*] Restarting OpenFPC

###############################################################################
[*] OpenFPC instance openfpc-default.conf
 -  NODENAME:              IDS 
 -  DESCRIPTION:           "IDS OpenFPC node." 
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  FULL PACKET CAPTURE:   ENABLED
 -  PACKET STORE:          /var/tmp/openfpc/pcap
 -  SESSION DATA SEARCH:   ENABLED
 -  SESSION DATABASE NAME: openfpc
 -  SESSION LAG:           0
Stopping Daemonlogger...                                              Not running
Stopping OpenFPC Queue Daemon (IDS)...                                     Done
Stopping OpenFPC cxtracker (IDS)...                                        Done
Stopping OpenFPC Connection Uploader (IDS)...                              Done
###############################################################################
[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy 
 -  DESCRIPTION:           "An example OpenFPC Proxy config. www.openfpc.org" 
 -  STATUS :               DISABLED
 -  PORT:                  4243
###############################################################################
[*] OpenFPC instance openfpc-default.conf
 -  NODENAME:              IDS 
 -  DESCRIPTION:           "IDS OpenFPC node." 
 -  STATUS :               ENABLED
 -  PORT:                  4242
 -  INTERFACE:             eth0
 -  FULL PACKET CAPTURE:   ENABLED
 -  PACKET STORE:          /var/tmp/openfpc/pcap
 -  SESSION DATA SEARCH:   ENABLED
 -  SESSION DATABASE NAME: openfpc
 -  SESSION LAG:           1
Starting Daemonlogger (IDS)...                                             Done
Starting OpenFPC Queue Daemon (IDS)...                                     Done
Starting OpenFPC cxtracker (IDS)...                                        Done
Starting OpenFPC Connection Uploader (IDS) ...                             Done
###############################################################################
[*] OpenFPC instance openfpc-example-proxy.conf
 -  NODENAME:              Example_Proxy 
 -  DESCRIPTION:           "An example OpenFPC Proxy config. www.openfpc.org" 
 -  STATUS :               DISABLED
 -  PORT:                  4243
[*] DB Configured and admin user added. Now navigate to http://<ip.add.re.ss>/openfpc/

Now just browse to http://ip_servidor/openfpc (replace ip_servidor with the server's IP) and log in with user admin and password senha.

Now let's check how many sessions have been captured so far, by counting the rows in the session table

mysql -u root -p -D openfpc -e 'select count(*) from session'
Enter password: 
+----------+
| count(*) |
+----------+
|      830 |
+----------+